@dshulyak dshulyak commented Jul 31, 2025

dnkolegov-ar
dnkolegov-ar previously approved these changes Aug 8, 2025
@dshulyak dshulyak marked this pull request as ready for review August 12, 2025 06:39
Copilot AI review requested due to automatic review settings August 21, 2025 13:56

Copilot AI left a comment

Pull Request Overview

This PR introduces a comprehensive specification for an authenticated peer-to-peer UDP protocol designed to address denial-of-service protection and traffic prioritization in RaptorCast communication. The protocol follows the WireGuard design with modifications to support secp256k1 keys and AEGIS128L encryption for improved performance.

Key changes:

  • Defines a complete authenticated UDP protocol using Noise IK handshake pattern with secp256k1, AEGIS128L, and BLAKE3
  • Implements DoS protection through cookie-based rate limiting and session management
  • Provides integration specifications for RaptorCast and discovery services

- remove special validators session handling during high load
- updated under load rate limit threshold to 2000 rps
- more efficient cookie nonce generation
- restructured data packet, auth tag is a part of header

```mermaid
packet-beta
0: "1"
```

Contributor

Should it be Type as in the Field descriptions?

- MAC1: Authentication of entire packet using initiator's static key hash
- MAC2: Cookie response MAC, empty unless under load (DoS protection)

Session establishment follows the Noise IK handshake pattern:
Contributor

Suggested change
Session establishment follows the Noise IK handshake pattern:
Session establishment follows the NoiseIKpsk2 handshake pattern:

```rust
let temp = keyed_hash(&chaining_key, &[]);
let temp2 = keyed_hash(&temp, &[0x1]);
let send_key = keyed_hash(&temp, &[&temp2, &[0x2]].concat());
```

Contributor

In WireGuard, these keys are calculated differently. It should be

```rust
let temp = keyed_hash(&chaining_key, &[]);
let send_key = keyed_hash(&temp, &[0x1]);
let recv_key = keyed_hash(&temp, &[&send_key, &[0x2]].concat());
```

Is it intentional?

Contributor Author

Thanks, I will revert to the WireGuard specification. I can't recall now if I reused it from somewhere or just mistyped.
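
The difference raised in this review thread, as an added example that is not part of the PR or the project's code: it computes the draft's `send_key` and the derivation quoted by the reviewer side by side, and checks whether two peers end up with matching keys. Keyed BLAKE2s stands in for the spec's `keyed_hash`, the chaining key is constructed sample data, and `session_keys` and `draft_initiator_interoperates` are hypothetical helpers.

```python
"""Added example: where the draft's send_key lands in a WireGuard-style KDF2."""
import hashlib

# Constructed 32-byte chaining key (sample data, not from the PR).
CHAINING_KEY = bytes(range(32))


def keyed_hash(key: bytes, data: bytes) -> bytes:
    # Assumption: keyed BLAKE2s stands in for the spec's keyed_hash, since
    # BLAKE3 is not in the Python standard library.
    return hashlib.blake2s(data, key=key, digest_size=32).digest()


def kdf2(chaining_key: bytes) -> tuple[bytes, bytes]:
    """Derivation quoted in the review comment: returns (first, second)."""
    temp = keyed_hash(chaining_key, b"")
    first = keyed_hash(temp, b"\x01")
    second = keyed_hash(temp, first + b"\x02")
    return first, second


def draft_send_key(chaining_key: bytes) -> bytes:
    """The three lines of the draft under review."""
    temp = keyed_hash(chaining_key, b"")
    temp2 = keyed_hash(temp, b"\x01")
    return keyed_hash(temp, temp2 + b"\x02")


def session_keys(chaining_key: bytes, initiator: bool) -> tuple[bytes, bytes]:
    """(send, recv) in WireGuard's order: the initiator sends with the first
    output, and the responder mirrors that so each send key meets a recv key."""
    first, second = kdf2(chaining_key)
    return (first, second) if initiator else (second, first)


def draft_initiator_interoperates(chaining_key: bytes) -> bool:
    """Assumption: the draft's send_key is used by the initiator, while the
    responder follows the order above. True only if the two keys match."""
    _, responder_recv = session_keys(chaining_key, initiator=False)
    return draft_send_key(chaining_key) == responder_recv


if __name__ == "__main__":
    first, second = kdf2(CHAINING_KEY)
    print("draft send_key == first output :", draft_send_key(CHAINING_KEY) == first)
    print("draft send_key == second output:", draft_send_key(CHAINING_KEY) == second)
    print("interoperates:", draft_initiator_interoperates(CHAINING_KEY))
```

The draft's `send_key` comes out equal to the second KDF output, the value the reviewer's version names `recv_key`, so a peer following the draft and a peer following the WireGuard order would fail authentication on the first data packet.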
